Software Integrity

Hajime and Mirai locked in an IoT botnet turf war

Last fall, someone released a benign worm looking to protect Internet of Things (IoT) devices from more dangerous worms. Known as Hajime, the vigilante malware appears to be designed to block another IoT worm, Mirai. The two are chasing each other around the world. Each are locked in a weird internet turf war seemingly bent on IoT domination and we have already seen collateral damage from it.

Virus vs worm

First, some basic terminology here.

A computer virus is a string of malicious code that can’t propagate unless someone spreads it (either knowingly or unknowingly). One of the first computer viruses was the Michelangelo virus which required users to boot from an infected floppy disk. Michelangelo promptly locked up the computer if the date on the computer was March 6, the artist’s birthday. Another famous virus was the Melissa virus which required users to open compromised Word documents. Although it did send email copies of itself to everyone on an Outlook contact list, it first required someone to open the infected attachment.

Worms, on the other hand, are self-propagating. The first computer worm was the Morris Worm, created by the son of a famous computer researcher, Robert Morris. It exploited vulnerabilities in sendmail, finger, and weak passwords to spread from machine to machine. Today worms are much more common, using command and control centers to direct their spread.

Mirai

Mirai, which is named by its author for the Japanese word for “future,” scans the internet looking for hardcoded passwords in internet-connected surveillance cameras. In October, its author released the source code. This is often done because the code no longer has street value, or the author wants to stop copycat code by diminishing its street value. Either way, someone took it upon themselves to beef up the now-public Mirai source code and turn it into a botnet, a collection of compromised devices that can together can be used for greater purposes.

In late October, the Mirai botnet became famous for its distributed denial of service attacks (DDoS) on Dyn, a content delivery network, and therefore its customers, Twitter, Reddit, and other popular sites among them. This DDoS attack affected both coasts of North America. Later, Mirai was used in a DDoS attack against Deutsche Telekom.

Hajime

Predating the release of the Mirai source code was Hajime on or close to September 25, 2016. Hajime, which is named by researchers for the Japanese word for “beginning,” scans random IPv4 addresses on the public internet. Using port 25, (Telnet), it attempts to use several username and password combinations from a peer-to-peer generated list of credentials. Here the controller sends out command modules which propagate over time through a peer-to-peer network.

According to researchers at Rapidity Networks, Hajime uses a two-part system common to most malware today. The first part is a simple file transfer that copies a much larger download program. The second part, the download, contacts the command and control peer-to-peer network and begins scanning the public internet for more vulnerable systems to infect. The use of a peer-to-peer network is a much more robust design for a botnet, one that makes takedowns difficult.

Payload

There are no malicious payloads associated with Hajime. At this time there’s no mechanism for it to launch a DDoS. Besides scanning the IPv4 internet space, Hajime displays the following message on any infected console:

Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!

The white hat—or good guy—claim appears to be correct. According to Symantec “(t)o the author’s credit, once the worm is installed it does improve the security of the device. It blocks access to ports 23, 7547, 5555, and 5358, which are all ports hosting services known to be exploitable on many IoT devices. Mirai is known to target some of these ports.”

Pyrrhic victories

The changes made by Hajime, however, only affect the device’s RAM memory, which is temporary. Should the IoT device be rebooted, ports 23, 7547, 5555, and 5358 open again and the device becomes vulnerable to Mirai and other IoT-focused malware.

Permanently updating the firmware on a large scale becomes impossible in IoT because each device requires a unique process, one dependent on chip set and RTOS, and other factors. Often updates are not possible due to the lack of onboard resources. Or, there is the need for physical access.

The Minecraft connection

Given this tit-for-tat relationship between the worms, it is entirely possible that the authors of Hajime and Mirai know each other or at least know of each other. Security writer Brian Krebs has offered a theory that the Marai botnet came out of the Minecraft gaming culture. As evidence, he cites that Mirai is derived from the qBot, a botnet fueled by IoT devices that targeted Minecraft users in 2015. Hajime also has bits of qBot code.

The timing of the Mirai source code release also suggests that its author, someone using the nickname Anna Senpai, which means “upper classman” in Japanese, might have known that the Hajime worm would block some of its infections and therefore lower its value on the street. Instead, Mirai was offered up to the public a few days later. If true, neither has stopped the other from infecting IoT devices. If anything, it’s called more attention to the problem of IoT-based botnets.

Stopping Hajime (or Mirai)

Security professionals can secure their IoT devices against malware infections by taking the following actions: